European data protection bodies have promised to work closely with their Irish colleagues on multi-billion-euro complaints filed by Austrian privacy campaigner Max Schrems against Facebook and Google.
Hours after new EU data protection laws came into force on Friday, Mr Schrems launched his latest challenge to Facebook, and a new suit against Google, accusing them of “coercing” users into accepting their data collection policies.
The complaints strike at the heart of the big tech companies’ business model: providing “free” online services in exchange for user profiling based on collecting of user data.
Three complaints worth €3.9 billion were filed in the early hours of Friday morning against Facebook and two subsidiaries, WhatsApp and Instagram via data regulators in Austria, Belgium and Hamburg. Another complaint worth €3.7 billion was filed with French data protection authority France CNIL in the case of Google's Android operating system for smartphones.
They are the first legal tests of Europe’s new data protection rulebook, the General Data Protection Regulation (GDPR), which came into effect at midnight on Friday. It harmonises privacy rules across the bloc and foresees fines of up to four per cent of group turnover for breaches. The new lawsuits mark a fresh round of legal tug-of-war between the Austrian campaigner, Facebook and the Irish data protection commission (DPC), which began in 2011 and are ongoing.
A spokesman for the Irish Data Protection Commission noted that Mr Schrems's complaints were made to other EU data protection authorities earlier on Friday and that they would be forwarded to the Irish regulator should they come under the GDPR's "one-stop shop mechanism" that brings matters relating to Facebook and Google to the Irish authority given that their EU headquarters are based in Dublin.
“These authorities will forward them to the Irish Data Protection Commission, as provided for in the GDPR, if appropriate,” said the spokesman.
Mr Schrems, head of a new privacy lobby group noyb (None of Your Business), accused Facebook of “blackmail” for giving users only two options: accept the new rules – and hand over more data than needed to operate the service – or deactivate their account. In addition, noyb claims Facebook used “tricks” to keep its customers using the service. It claims Facebook created fake red dots suggesting new messages, which the user could only see if they agreed to the new terms of service.
“This is nothing more than an aggressive and absurd attempt to deprive data subjects of their rights,” the complaint adds.
The noyb complaints will test its entitlement under GDPR to run test cases for users, as well as new co-operation rules between national data protection bodies around Europe.
The Facebook case was filed by noyb with the Austrian data protection body DSB, which will now liaise with Ireland’s data protection commissioner (DPC). The same applies for the Instagram complaint, filed via Belgium’s DPA and the WhatsApp case, filed by noyb with Hamburg’s data commissioner (HmbBfDI) Prof Johannes Caspar.
“Nowhere else in European law was there, until now, such a wide gap between theory and practice as in data protection,” said Prof Caspar. “We have to decide quickly how to work best with our Irish colleagues on this.”
In the case of Google’s Android operating system, the noyb complaint says users of a new phone with the Android operating system are bounced into the Google ecosystem, something it calls a breach of GDPR informed consent rules.
Google, despite its Dublin headquarters is legally based in the US and the French regulator CNIL will investigate that complaint without the Irish authorities.